The affected script was "install.py" located in GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources

In this script, a temporary lock file was created using the following method:

lockfilename = '/tmp/.keystone_install_lock'

# Make sure that root and user can share the same lockfile

oldmask = os.umask(0000)

# os.O_EXLOCK is 32, but isn't defined on 10.4 (python2.3)

lockfile = os.open(lockfilename, os.O_CREAT | os.O_RDWR | 32, 0666)

This appears to get executed on every Chrome update, offering attackers frequent opportunities to attack the statically named, insecurely created temporary file. To exploit this issue, a local attacker would create a symbolic link from "/tmp/.keystone_install_lock" to a file they wanted to have created by the victim. When created, the files will be created with permissions that allow reading and writing by all users of the system. There are a number of files that users can write in their home directories that control access to various resources. Using this method to create such files could allow an attacker to then edit the content of those files and lead to local privilege escalation or information disclosure.